Wednesday, 7 March 2012

Securing Oracle Apex - Allow Rich Text Editing

We recently received an interesting correspondence:

I have a requirement to allow rich text editors for content that will be printed to other pages. I'm looking for something like OWASP AntiSamy or HTML Purifier that could be used in the PL/SQL to sanitize the input and thought maybe you would know where to look.

Thanks,

Greg

Using a known library like AntiSamy is generally a good idea for several reasons:

Don't re-invent the wheel badly.

OWASP probably know a bit more about cross-site scripting than us.

Issues can be fixed centrally so everybody benefits.

So we decided to gather the relevant Java libraries together and build an Oracle package that lets Apex developers use this excellent resource: they can display dynamic HTML marked-up content while significantly reducing the risk of cross-site scripting attacks.

First we created a very simple Apex application to test the vulnerability.

This consists of two regions: one which contains the Apex rich-text editor and the other a PL/SQL region to output the results.


As the screenshot shows, this works well: the user has turned the text green and this is correctly displayed in the Output region.

If we analyse the application with our ApexSec security analyser, we can see that there is a problem:


ApexSec has identified both the cross-site scripting vulnerability and the item causing it, in this case the :P1_INPUT item.

We can quickly test the vulnerability by using the source button on the rich text editor.


The source button allows us to type the HTML in as raw data; we raise a simple alert box this time (for more interesting exploits read our other blogs). Clicking the submit button leads to the predictable alert box:


What is needed is a way to safely keep the tags that define the style but filter out the malicious tags that may lead to a cross-site scripting attack.

Installing the library
We install the Java library and wrapper into our schema in the 'developer days' image (OBE):

$ loadjava -resolve -genmissing -user obe/obe Antisamy.jar

We install the PL/SQL call specifications for the installed Java library:

$ sqlplus obe/obe @recx_antisamy.sql

Function created.
Procedure created.

Calling the new library in the PL/SQL region is as simple as calling the recx_antisamy_scan(stringToSanitise) function. When we re-scan the project using ApexSec we can see that there is no longer a cross-site scripting issue detected.
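As an added illustration (not the contents of recx_antisamy.sql or the Recx wrapper itself), this is the shape such a call specification and region source take. The Java class name com.recx.AntiSamyWrapper and its static scan method are assumptions; recx_antisamy_scan and :P1_INPUT are the names used on this page.

```sql
-- Hypothetical PL/SQL call specification over a static Java method loaded
-- with loadjava. AntiSamy's own API is AntiSamy.scan(String, Policy), whose
-- CleanResults.getCleanHTML() the wrapper would return.
CREATE OR REPLACE FUNCTION recx_antisamy_scan (p_html IN VARCHAR2)
  RETURN VARCHAR2
AS LANGUAGE JAVA
  NAME 'com.recx.AntiSamyWrapper.scan(java.lang.String) return java.lang.String';
/

-- Apex PL/SQL region source: render the sanitised markup, never the raw item.
-- Sanitising at output time means stored content is covered as well.
BEGIN
  htp.p('<div class="user-content">' || recx_antisamy_scan(:P1_INPUT) || '</div>');
END;
/

-- Constructed regression check for SQL*Plus: the script element must not
-- survive; whether the colour survives depends on the policy selected
-- (the default antisamy-tinymce-1.4.4.xml policy strips colour).
SET SERVEROUTPUT ON
DECLARE
  l_in  VARCHAR2(4000) :=
    '<span style="color: green;">hello</span><script>alert(1)</script>';
  l_out VARCHAR2(4000);
BEGIN
  l_out := recx_antisamy_scan(l_in);
  IF INSTR(LOWER(l_out), '<script') > 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'script element survived: ' || l_out);
  END IF;
  DBMS_OUTPUT.PUT_LINE('clean: ' || l_out);
END;
/
```

Running the check after every policy change catches a policy file that has been relaxed too far.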


By default the library uses the antisamy-tinymce-1.4.4.xml policy (the most restrictive; it doesn't do colour), as shown above. This can be changed to a more relaxed policy with the recx_antisamy_policy function; a full list of the installed policies is here.

We run the simple test again, adding a script tag. This time the tag has been filtered by the AntiSamy library, but the formatting has been kept.


Recx perform security audits of Apex code, as well as advising about secure Apex coding techniques. Contact us for information on how we can help you secure your Apex estate.

Thanks to Greg for throwing down the gauntlet. For a copy of the Eclipse project feel free to email us.

Disclaimer: THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.